NEWS AND NOTES RELEVANT TO CYBER/DATA SECURITY AND COMPLIANCE

Next year’s examination priorities of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission were announced on December 20, 2018, and cover six broad, albeit non-exhaustive, topics.1

Matters of importance for retail investors, including seniors and those saving for retirement;

Compliance and risks in registrants responsible for critical market infrastructure;

Many of the six broad topics remain the same as those included in the 2018 OCIE Examination Priorities. It is important to note, however, that the OCIE leadership team specifically indicated that the 2019 priorities reflect meaningful changes from the prior year, particularly as new risks have emerged and existing risks were either heightened or mitigated.

Retail Investors, including Seniors and those Saving for Retirement

The first identified priority is the protection of retail investors. OCIE emphasizes the following areas of focus, most of which continue and/or expand upon existing examination priorities:

Fees and Expenses: Disclosure of the Costs of Investing;

Conflicts of Interest;

Senior Investors, and Retirement Accounts and Products;

Portfolio Management and Trading;

Never-Before- or Not-Recently-Examined Investment Advisers;

Mutual Funds and Exchange-Traded Funds;

Municipal Advisors;

Broker-Dealers Entrusted with Customer Assets; and

Microcap Securities.2

Compliance and Risk in Registrants Responsible for Critical Infrastructure

The second identified priority is compliance and risks in critical infrastructure. In this area, OCIE will continue to focus examinations on:

“Systematically Important” Clearing Agencies;

Entities Subject to Regulations Systems Compliance and Integrity (SCI), including the effectiveness of the implementation of such entities’ compliance policies and procedures;

Transfer Agents, including “transfers, recordkeeping” and asset safeguarding; and

National Securities Exchanges, including exchanges’ internal audit and surveillance programs as well as funding for regulatory programs.

Focus on FINRA and MSRB

OCIE will continue to examine: (1) FINRA’s operations and regulatory programs and the quality of its examinations of broker-dealers; and (2) the effectiveness of particular MSRB operational and internal policies, procedures and controls.

Digital Assets

New to OCIE’s priorities is a focus on the examination of participants in the digital asset market (including broker-dealers, trading platforms, and investment advisers) and the associated risks presented by that market to retail investors. As part of its entry into examining the digital assets space, OCIE intends to “identify market participants offering, selling, trading, and managing these products or considering or actively seeking to offer these products and then assess the extent of their activities.” For those firms that are identified as “actively seeking” to offer digital assets, OCIE examinations will then focus on, among other things, “portfolio management of digital assets, trading, safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.”

Cybersecurity

Cybersecurity will continue to be a focus of each OCIE examination program, especially registrants’ “policies and procedures related to retail trading information security” and, with respect to investment advisers, cybersecurity practices of advisers with multiple branch offices.

Anti-Money Laundering Programs

OCIE notes that examiners will continue to prioritize broker-dealer compliance with applicable AML requirements, including proper filing of suspicious activity reports and robust and independent testing of their AML programs.

Conclusion

While the priorities indicate where OCIE intends to focus resources in the coming year, registrants should not expect examinations to be limited to the issues highlighted above. It is important to note that the 2019 OCIE priorities not only reflect Chairman Jay Clayton’s prior emphasis on Main Street investors, technological changes and cybersecurity, but also continue to reflect a considerable degree of continuity with the priorities of the SEC under prior Chair Mary Jo White. With this in mind, firms may want to review their policies and procedures and conduct internal compliance reviews.